Here's what's inside DORA GRC — every module across all four pillars, with screenshots showing what it looks like in practice. No demo calls required.
When you log in, you see your overall compliance score, open risks, active incidents, and testing gaps — all on one screen. A setup checklist walks you through the first steps. Most teams have the core modules running within a week.
Assign roles, build your three-tier policy structure, register critical functions, and track assets. 7 modules covering Art. 5–9.
Risk register, threat scenarios, bowtie analysis, control library, and full incident lifecycle from first log to regulatory report.
The coverage matrix shows which CIF functions are tested and which have gaps. Separate TLPT module for entities required to run threat-led pen tests.
Track suppliers, check contracts, flag concentration risk, send due diligence questionnaires, and export the Register of Information for the regulator.
Seven modules covering governance roles, ICT policy structure, critical function classification, asset inventory, business impact, and compliance tracking. Start here — the CIF Register you build in Pillar 1 drives requirements across every other pillar.
| Role | Name | DORA Art. | Review | Status |
|---|---|---|---|---|
| CISO | E. Larsen | Art. 5(2)(a) | 2025-03-01 | Active |
| CIO | M. Bjørnsen | Art. 5(2)(b) | 2025-03-01 | Active |
| DPO | A. Strand | Art. 5(2)(c) | 2025-06-15 | Review Due |
| ICT Risk Officer | K. Dahl | Art. 5(2)(f) | 2025-03-15 | Active |
| Board Member (ICT) | P. Eriksen | Art. 5(2)(j) | 2025-09-01 | New |
Attach every Art. 5 obligation to a named person with a review date. When a review is overdue, it flags on the dashboard — you catch it before an auditor does.
DORA and RTS 2024/1774 require three tiers of ICT documentation. This module tracks what's in place, what's approved, and what's missing — with a completeness percentage you can show auditors.
| Document | Level | Owner | Status |
|---|---|---|---|
| ICT Risk Policy | L1 | Board | Approved |
| Cybersecurity Guidelines | L2 | CISO | Approved |
| Patch Management Routine | L3 | Ops Lead | In Review |
| Incident Response Procedure | L3 | SOC Lead | Gap |
| Function | Criticality | Provider | Outsourced | RTO |
|---|---|---|---|---|
| Core Banking | Critical | FIS Global | Yes | 4h |
| Payment Processing | Critical | Nets A/S | Yes | 2h |
| KYC/AML Engine | Important | Internal | No | 8h |
| Customer Portal | Important | AWS | Yes | 1h |
| Market Data Feed | Critical | Bloomberg | Yes | 30m |
Once you classify functions here as critical or important, the testing gaps, provider oversight obligations, and incident severity thresholds all connect to it automatically. You enter the data once — it works across every pillar.
Nine modules covering risk assessment, threat scenarios, controls, heatmap, bowtie analysis, and the full incident lifecycle. Use the guided wizard for structured assessments, or quick-add to log risks fast. Incidents go from first entry to regulatory report without leaving the platform.
| Risk ID | Description | Score | Treatment | Decision |
|---|---|---|---|---|
| R-001 | Ransomware — core banking | 20 Crit | Mitigate | ⚠ Exceeds |
| R-002 | Cloud outage — customer portal | 15 High | Transfer | ✓ Within |
| R-003 | Insider threat — privileged access | 16 Crit | Mitigate | ⚠ Exceeds |
| R-004 | API key exposure | 12 High | Mitigate | ✓ Within |
Each risk can have a bowtie diagram: threats on the left, what happens if it materialises on the right, and the controls sitting between them. It's useful for explaining complex risk scenarios to a board that doesn't want to read a table of numbers.
When an incident comes in, the Classification Wizard applies the Art. 18 severity criteria and tells you whether it's major, significant, or minor. Major incidents open the regulatory reporting workflow with the correct ITS 2024/2956 templates — initial, intermediate, and final reports.
Two modules. The testing programme pulls in your CIF functions and tracks which test types have been run in the past 12 months — gaps show up automatically without any manual checking. If you're required to run TLPT, the second module tracks the five-phase lifecycle from scoping to authority sign-off.
| CIF Function | Vuln Scan | Open-src | Pen Test | Scen Test | BCP | DR | TLPT |
|---|---|---|---|---|---|---|---|
| Core Banking | ✓ | ✓ | ✓ | ⟳ | ✓ | ! | — |
| Payment Processing | ✓ | ✓ | ⟳ | ! | ✓ | ✓ | — |
| KYC/AML Engine | ✓ | ! | ! | — | ✓ | ✓ | — |
| Customer Portal | ✓ | ✓ | ✓ | ✓ | — | — | — |
Each row is a CIF function. Each column is one of the seven DORA test types. A green ✓ means tested in the last 12 months, a yellow ⟳ means scheduled, and a red ! means gap. As you log test results, the matrix updates — no spreadsheet needed.
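As an added illustration (not the product's own code) of the rule the matrix applies: a completed test within the last 365 days counts as tested, a run planned after the reporting date as scheduled, and everything else, including a stale result or an overdue plan, as a gap. The scope map, test log and reporting date are constructed sample data; TLPT is marked out of scope for this sample entity.

```python
from datetime import date, timedelta

TEST_TYPES = ["Vuln Scan", "Open-src", "Pen Test", "Scen Test", "BCP", "DR", "TLPT"]

# Constructed sample data, not exported from the product. Each CIF function lists the
# test types it is in scope for; TLPT is left out because this entity is not required to run it.
CIF_SCOPE = {
    "Core Banking": TEST_TYPES[:-1],
    "Customer Portal": ["Vuln Scan", "Open-src", "Pen Test", "Scen Test"],
}
# Constructed test log: "done" records carry the execution date, "scheduled" the planned date.
TEST_LOG = [
    {"function": "Core Banking", "type": "Vuln Scan", "date": date(2025, 2, 10), "status": "done"},
    {"function": "Core Banking", "type": "Open-src", "date": date(2024, 11, 5), "status": "done"},
    {"function": "Core Banking", "type": "Pen Test", "date": date(2024, 1, 20), "status": "done"},
    {"function": "Core Banking", "type": "Scen Test", "date": date(2025, 5, 1), "status": "scheduled"},
    {"function": "Core Banking", "type": "BCP", "date": date(2024, 9, 30), "status": "done"},
    {"function": "Customer Portal", "type": "Vuln Scan", "date": date(2025, 3, 3), "status": "done"},
    {"function": "Customer Portal", "type": "Pen Test", "date": date(2024, 12, 12), "status": "done"},
    {"function": "Customer Portal", "type": "Scen Test", "date": date(2024, 2, 1), "status": "scheduled"},
]
AS_OF = date(2025, 3, 15)  # constructed reporting date

def cell_status(records, as_of, window_days=365):
    """'tested' if a completed run lies within the look-back window, else 'scheduled' if a
    run is planned after as_of, else 'gap'. A stale result or an overdue plan is a gap."""
    cutoff = as_of - timedelta(days=window_days)
    if any(r["status"] == "done" and cutoff <= r["date"] <= as_of for r in records):
        return "tested"
    if any(r["status"] == "scheduled" and r["date"] > as_of for r in records):
        return "scheduled"
    return "gap"

def coverage_matrix(scope, log, as_of):
    """Map function -> {test type -> status}; 'n/a' marks types outside the function's scope."""
    matrix = {}
    for function, required in scope.items():
        row = {}
        for t in TEST_TYPES:
            if t not in required:
                row[t] = "n/a"
                continue
            recs = [r for r in log if r["function"] == function and r["type"] == t]
            row[t] = cell_status(recs, as_of)
        matrix[function] = row
    return matrix

def gaps(matrix):
    """Sorted (function, test type) pairs that need scheduling, i.e. the red cells."""
    return sorted((f, t) for f, row in matrix.items() for t, s in row.items() if s == "gap")
```

Calling `gaps(coverage_matrix(CIF_SCOPE, TEST_LOG, AS_OF))` on the sample data lists the Core Banking pen test (older than 12 months) and DR test (never logged) alongside the Customer Portal open-source review and its overdue scenario test.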
If your entity is required to run threat-led penetration tests, this tracks all five phases: scoping, threat intelligence, red team execution, blue team debrief, and final attestation. Everything in one place instead of across email threads and PDFs.
Five modules. The provider register is where you track ICT suppliers and what they support. From there you can check contract clauses, run due diligence questionnaires, monitor concentration risk, and export the Register of Information for your regulator in XBRL/XML format.
| Provider | Country | Type | CIF | CTPP | Contract |
|---|---|---|---|---|---|
| Microsoft Azure | IE 🇮🇪 | Cloud IaaS | Yes | Yes | ✓ Complete |
| FIS Global | US 🇺🇸 | Core Banking | Yes | No | 3 Gaps |
| Nets A/S | DK 🇩🇰 | Payment | Yes | No | ✓ Complete |
| Bloomberg LP | US 🇺🇸 | Market Data | Yes | No | 1 Gap |
| Cisco Systems | US 🇺🇸 | Network | No | No | ✓ Complete |
When a provider is linked to a CIF function, the platform automatically flags the DORA obligations: the eight Art. 30 contract clauses, the exit plan requirement, and the LEI. You can look up legal entity data via GLEIF to fill in provider details without typing.
The board report is generated from live data — no copying numbers into a slide deck. The audit log records every change with a timestamp and username, so you can show exactly what happened and when. Full data export for external auditors in JSON; Register of Information in XBRL/XML.
Pulls live data from all four pillars into a board-ready report. Generate it any time — scores, open risks, active incidents, and what's changed. No slides to update manually.
Assign tasks to team members, link them to specific risks or incidents, and set due dates. Overdue tasks show up on the dashboard — nothing gets lost in email or a shared spreadsheet.
Export all registers as a timestamped, user-attributed JSON file for external auditors. The Register of Information exports in XBRL/XML format for direct submission under ITS 2024/2956.